Action Dispatch Content Security Policy
Configures the HTTP Content-Security-Policy response header to help protect against XSS and injection attacks.
Example global policy:
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :self, :https
# Specify URI for violation reports
policy.report_uri "/csp-violation-report-endpoint"
end
- MODULE ActionDispatch::ContentSecurityPolicy::Request
- CLASS ActionDispatch::ContentSecurityPolicy::Middleware
Attributes
[R] directives
Class Public methods
new()
Instance Public methods
block_all_mixed_content(enabled = true)
Specify whether to prevent the user agent from loading any assets over HTTP when the page uses HTTPS:
policy.block_all_mixed_content
Pass false to allow it again:
policy.block_all_mixed_content false
build(context = nil, nonce = nil, nonce_directives = nil)
# File actionpack/lib/action_dispatch/http/content_security_policy.rb, line 291
def build(context = nil, nonce = nil, nonce_directives = nil)
  nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
  build_directives(context, nonce, nonce_directives).compact.join("; ")
end
initialize_copy(other)
plugin_types(*types)
Restricts the set of plugins that can be embedded:
policy.plugin_types "application/x-shockwave-flash"
Leave empty to allow all plugins:
policy.plugin_types
report_uri(uri)
Enable the report-uri directive. Violation reports will be sent to the specified URI:
policy.report_uri "/csp-violation-report-endpoint"
require_sri_for(*types)
Specify asset types for which Subresource Integrity is required:
policy.require_sri_for :script, :style
Leave empty to not require Subresource Integrity:
policy.require_sri_for
sandbox(*values)
Specify whether a sandbox should be enabled for the requested resource:
policy.sandbox
Values can be passed as arguments:
policy.sandbox "allow-scripts", "allow-modals"
Pass false to disable the sandbox:
policy.sandbox false
upgrade_insecure_requests(enabled = true)
Specify whether user agents should treat any assets over HTTP as HTTPS:
policy.upgrade_insecure_requests
Pass false to disable it:
policy.upgrade_insecure_requests false
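Added illustration, not the Rails implementation: a toy policy class that shows what header value the global policy at the top of this page produces, how a per-request nonce is appended to script-src when build is given one, and how the valueless directives (block_all_mixed_content, upgrade_insecure_requests, sandbox) appear in the header and disappear again when passed false. The symbol-to-source mapping (SOURCE_KEYWORDS), the ToyCspPolicy class and the nonce_directives default of ["script-src"] are assumptions of this example; the real class is the one in actionpack/lib/action_dispatch/http/content_security_policy.rb.

```ruby
require "securerandom"

# Toy model of how a CSP policy object is serialized into the value of the
# Content-Security-Policy header. Written for this page as an illustration;
# it is not the ActionDispatch::ContentSecurityPolicy implementation.
class ToyCspPolicy
  # Assumed mapping of symbols to CSP source expressions. Keyword sources
  # ('self', 'none', 'nonce-...') must be single-quoted in the header;
  # scheme sources (https:, data:) must not.
  SOURCE_KEYWORDS = {
    self: "'self'", none: "'none'", https: "https:", data: "data:",
    unsafe_inline: "'unsafe-inline'", unsafe_eval: "'unsafe-eval'"
  }.freeze

  attr_reader :directives

  def initialize
    @directives = {}          # insertion order becomes header order
    yield self if block_given?
  end

  # Fetch directives: default_src becomes "default-src", and so on.
  %w[default_src font_src img_src object_src script_src style_src].each do |name|
    directive = name.tr("_", "-")
    define_method(name) do |*sources|
      if sources.empty?
        @directives.delete(directive)   # no sources given: drop the directive
      else
        @directives[directive] = sources.map { |s| SOURCE_KEYWORDS.fetch(s, s.to_s) }
      end
    end
  end

  # Valueless directives: emitted bare when enabled, omitted when false.
  def block_all_mixed_content(enabled = true)
    set_flag("block-all-mixed-content", enabled)
  end

  def upgrade_insecure_requests(enabled = true)
    set_flag("upgrade-insecure-requests", enabled)
  end

  # sandbox: bare directive, a list of allow-* tokens, or false to remove it.
  def sandbox(*values)
    if values == [false]
      @directives.delete("sandbox")
    else
      @directives["sandbox"] = values.empty? ? true : values
    end
  end

  def report_uri(uri)
    @directives["report-uri"] = [uri]
  end

  # Render the header value. A per-request nonce, when given, is appended as
  # 'nonce-...' to every directive named in nonce_directives (assumed default
  # ["script-src"]), which is what lets <script nonce="..."> tags from the
  # view execute while other inline scripts stay blocked.
  def build(nonce = nil, nonce_directives = ["script-src"])
    @directives.map { |name, sources|
      next name if sources == true
      sources += ["'nonce-#{nonce}'"] if nonce && nonce_directives.include?(name)
      "#{name} #{sources.join(' ')}"
    }.join("; ")
  end

  private

  def set_flag(directive, enabled)
    enabled ? @directives[directive] = true : @directives.delete(directive)
  end
end

# The global policy shown on this page, rendered by the toy class.
def example_policy
  ToyCspPolicy.new do |policy|
    policy.default_src :self, :https
    policy.font_src :self, :https, :data
    policy.img_src :self, :https, :data
    policy.object_src :none
    policy.script_src :self, :https
    policy.style_src :self, :https
    policy.report_uri "/csp-violation-report-endpoint"
  end
end

def example_header(nonce = nil)
  example_policy.build(nonce)
end

# Valueless directives before and after turning two of them off with false.
def flag_headers
  policy = ToyCspPolicy.new do |p|
    p.default_src :self
    p.block_all_mixed_content
    p.upgrade_insecure_requests
    p.sandbox "allow-scripts", "allow-modals"
  end
  before = policy.build
  policy.block_all_mixed_content false
  policy.sandbox false
  [before, policy.build]
end

if __FILE__ == $PROGRAM_NAME
  puts example_header(SecureRandom.base64(16))   # constructed per-request nonce
  flag_headers.each { |h| puts h }
end
```

Note that object-src 'none' in the rendered header is what makes the later plugin_types directive moot for this policy: with no object sources allowed, no plugin can be embedded regardless of type.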